My regex expression works properly, but since I'm a newbie in Splunk I don't know how to get the rex expression. I would like to extract users that do not begin with PC, PRT and SRV. My regex expression is:
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | regex _raw!="Nom\Wdu\Wcompte\W:\s*(PC|SRV|PRT)"
Please advise?
Hey @Marwaig,
How about extracting all the users and then applying a condition that username != PC* OR PRT* OR SRV?
If you want to achieve this only via rex, could you post pseudo events?
I have extracted all users from my _audit logs using rex like rex field=_raw "User:\s(?P<Username>\w+)\s "
Then I added a condition like |search Username != "PC*" OR Username !="PRT*" etc.
Hope this helps!
Thanks,
Raghav
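To make the two-step approach concrete (extract the account name with a named capture group, then filter by prefix), here is an added Python example that is not part of the thread or of Splunk. It reuses the French "Nom du compte :" label from the question's regex on constructed 4624-style events; the event text, the field name Username and the case-insensitive prefix test are assumptions.

```python
import re

# Constructed sample events in the French-localised 4624 layout from the question.
# The second one uses a non-breaking space before the colon, which is why the
# question's pattern uses \W rather than a literal space there.
SAMPLE_EVENTS = [
    "EventCode=4624\n\tNom du compte :\t\tPC-ALICE01$\n\tDomaine du compte :\t\tCORP",
    "EventCode=4624\n\tNom du compte\u00a0:\t\tjdupont\n\tDomaine du compte\u00a0:\t\tCORP",
    "EventCode=4624\n\tNom du compte :\t\tSRV-FILE02$\n\tDomaine du compte :\t\tCORP",
    "EventCode=4624\n\tNom du compte :\t\tPRT-LOBBY$\n\tDomaine du compte :\t\tCORP",
    "EventCode=4624\n\tNom du compte :\t\tmmartin\n\tDomaine du compte :\t\tCORP",
    "EventCode=4624\n\tNom du compte :\t\tpc-bob03$\n\tDomaine du compte :\t\tCORP",
]

# Step 1: the extraction, equivalent to
#   rex field=_raw "Nom\Wdu\Wcompte\W:\s*(?P<Username>\S+)"
# \W before the colon also matches the non-breaking space; \s* swallows the tabs.
ACCOUNT_RE = re.compile(r"Nom\Wdu\Wcompte\W:\s*(?P<Username>\S+)")

# Prefixes to exclude (computer, printer and server accounts).
EXCLUDED_PREFIXES = ("PC", "PRT", "SRV")


def extract_username(event):
    """Return the captured Username field, or None when the label is absent."""
    m = ACCOUNT_RE.search(event)
    return m.group("Username") if m else None


def is_excluded(username):
    """True when the account starts with any excluded prefix.
    The comparison is case-insensitive here (assumption, mirroring how a
    wildcard search on a field value behaves rather than the regex command)."""
    return username.upper().startswith(EXCLUDED_PREFIXES)


def filtered_users(events):
    """Step 2: keep only accounts that pass every exclusion.
    All three exclusions must hold at once for an event to be kept."""
    users = []
    for event in events:
        username = extract_username(event)
        if username is not None and not is_excluded(username):
            users.append(username)
    return users


if __name__ == "__main__":
    print(filtered_users(SAMPLE_EVENTS))  # ['jdupont', 'mmartin']
```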
Yes! It works perfectly 😄 😄 Thanks for the answer 🙂